JS-Tap

JS-Tap provides a generic JavaScript payload and supporting software to help red teams attack web applications. The payload can be used as an XSS payload or as a post exploitation implant. When used as an XSS payload it uses a novel persistence technique (iframe traps) to keep the payload running.

About JS-Tap

JS-Tap captures sensitive data as users interact with the application including screenshots of pages visited, HTML code, and inputs entered by the user (such as login credentials). Cookies and local storage are scraped, potentially disclosing sensitive session data. The payload can also intercept network traffic between the client and application server. All exfiltrated data is presented in the JS-Tap portal for analysis.

A C2 system allows custom JavaScript payloads to be assigned as tasks to tapped clients. This allows for targeting of application functionality not possible with the generic JS-Tap payload. To speed development of these custom JavaScript payloads, a payload builder can leverage intercepted network traffic to automatically create payloads that mimic the intercepted functionality. Written by Drew Kirkpatrick (@hoodoer).

How to get JS-Tap

https://github.com/hoodoer/JS-Tap (JS-Tap Repository)

Solutions

Services

About Us

JS-Tap